8-30
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Table 8-8 LDAP: Directory Organization Page

Option / Description

Schema

Subject Object Class
    Value of the LDAP objectClass attribute that identifies the subject. Subject records often carry several objectClass values, some unique to the subject and some shared with other object types (every entry carries top, for example). Enter a value that is not shared; a shared class makes subject searches match entries that are not subjects. Valid values are from 1 to 20 characters, can contain any UTF-8 characters, and must be a valid LDAP object class. (Default = Person.)

Group Object Class
    The group object class to use in searches that identify objects as groups. (Default = GroupOfUniqueNames.)

Subject Name Attribute
    Name of the attribute in the subject record that contains the subject name. Obtain this attribute name from your directory server; it identifies the subject name in the LDAP schema, and ACS uses it to construct the queries that search for subject objects. For details, refer to your LDAP server documentation. Valid values are from 1 to 20 characters, can contain any UTF-8 characters, and must be a valid LDAP attribute. Common values are uid and CN. (Default = uid.)

Group Map Attribute
    For user authentication, user lookup, and MAC address lookup, ACS must retrieve group membership information from the LDAP database. LDAP servers represent the association between a subject (a user or a host) and a group in one of two ways:
    - Groups refer to subjects (for example, a member or uniqueMember attribute on the group entry).
    - Subjects refer to groups (for example, a memberOf attribute on the subject entry).
    The Group Map Attribute is the attribute that holds this mapping. Whether you enter a subject attribute or a group attribute depends on the radio button you select:
    - Subject Objects Contain Reference To Groups: enter a subject attribute.
    - Group Objects Contain Reference To Subjects: enter a group attribute.

Group Name Attribute
    Name of the attribute in the group record that contains the group name. Obtain this attribute name from your directory server; it identifies the group name in the LDAP schema, and ACS uses it to construct the queries that search for group objects. For details, refer to your LDAP server documentation. Common values are DN and CN. (Default = DN.)

Certificate Attribute
    The attribute that contains certificate definitions. These definitions can optionally be used to validate certificates presented by clients when the attribute is defined as part of a certificate authentication profile. In that case, ACS performs a binary comparison between the client certificate and the certificate retrieved from the LDAP identity store.

Subject Objects Contain Reference To Groups
    Click if the subject objects contain a reference to groups.

Group Objects Contain Reference To Subjects
    Click if the group objects contain a reference to subjects.
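The following is an added illustration of how the Table 8-8 settings turn into LDAP searches; it is not Cisco's code and not part of the original guide. It builds the subject lookup filter from the Subject Object Class and Subject Name Attribute, escapes the user-supplied name per RFC 4515 so that a crafted login name cannot rewrite the filter, and resolves group membership in both mapping directions (Group Objects Contain Reference To Subjects with uniqueMember, and Subject Objects Contain Reference To Groups with memberOf). The directory it searches is a constructed in-memory stand-in for an LDAP server; the DNs, the memberOf attribute, and the DirectoryOrganization class are illustrative assumptions.

```python
"""Worked example for the Directory Organization settings (added illustration).

Constructed in-memory directory instead of a live LDAP server; DNs, attribute
names and the DirectoryOrganization class are assumptions for illustration.
"""
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a subject name such as 'a*)(uid=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


# Constructed sample directory: one dict per entry, DN plus lower-cased
# attribute names. Every entry carries 'top', so 'top' is a shared object
# class and would be an unusable Subject Object Class.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["alice"],
     "memberof": ["cn=netadmins,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["bob"],
     "memberof": ["cn=helpdesk,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=alice,ou=devices,dc=example,dc=com",   # a host, not a person
     "objectclass": ["top", "device"], "uid": ["alice"]},
    {"dn": "cn=netadmins,ou=groups,dc=example,dc=com",
     "objectclass": ["top", "groupOfUniqueNames"], "cn": ["netadmins"],
     "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"dn": "cn=helpdesk,ou=groups,dc=example,dc=com",
     "objectclass": ["top", "groupOfUniqueNames"], "cn": ["helpdesk"],
     "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
]


def _values(entry, attr):
    """Case-insensitive attribute read; 'dn' is the entry name, not an attribute."""
    if attr.lower() == "dn":
        return [entry["dn"]]
    return entry.get(attr.lower(), [])


def _matches(entry, assertions):
    """Evaluate an AND of equality assertions (case-insensitive, as LDAP does
    for objectClass and DN-valued attributes)."""
    return all(any(v.lower() == value.lower() for v in _values(entry, attr))
               for attr, value in assertions)


@dataclass
class DirectoryOrganization:
    """The Table 8-8 fields, with the guide's defaults (assumed class)."""
    subject_object_class: str = "Person"
    group_object_class: str = "GroupOfUniqueNames"
    subject_name_attribute: str = "uid"
    group_name_attribute: str = "dn"
    group_map_attribute: str = "uniqueMember"
    subjects_refer_to_groups: bool = False   # the radio-button choice

    def subject_filter(self, name):
        """The search filter sent for a user or host lookup, with escaping."""
        return "(&(objectClass=%s)(%s=%s))" % (
            self.subject_object_class, self.subject_name_attribute,
            escape_filter_value(name))

    def find_subjects(self, name, directory=DIRECTORY):
        """All matching DNs; more than one means the object class is too broad."""
        assertions = [("objectClass", self.subject_object_class),
                      (self.subject_name_attribute, name)]
        return [e["dn"] for e in directory if _matches(e, assertions)]

    def groups_of(self, subject_dn, directory=DIRECTORY):
        """Group names for a subject, following the configured mapping direction."""
        if self.subjects_refer_to_groups:
            # Read the map attribute on the subject, then fetch those groups.
            entry = next((e for e in directory
                          if e["dn"].lower() == subject_dn.lower()), None)
            if entry is None:
                return []
            refs = [v.lower() for v in _values(entry, self.group_map_attribute)]
            groups = [g for g in directory
                      if _matches(g, [("objectClass", self.group_object_class)])
                      and g["dn"].lower() in refs]
        else:
            # Search groups whose map attribute names the subject DN.
            groups = [g for g in directory if _matches(
                g, [("objectClass", self.group_object_class),
                    (self.group_map_attribute, subject_dn)])]
        return [_values(g, self.group_name_attribute)[0] for g in groups]


if __name__ == "__main__":
    org = DirectoryOrganization()
    print(org.subject_filter("a*)(uid=*"))          # escaped, not injected
    print(org.find_subjects("alice"))
    print(org.groups_of("uid=alice,ou=people,dc=example,dc=com"))
```

Setting subject_object_class to "top" makes find_subjects("alice") return both the person and the device entry, which is the ambiguity the Subject Object Class note warns about; the escaping in subject_filter is the check a real ACS deployment relies on the product to perform, and it is shown here only to make the injection risk of an unescaped Subject Name Attribute value concrete.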